JP2011193378A - Communication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication system in which a load related to VPN (Virtual Private Network) connection established with a relay terminal by a server is reduced. <P>SOLUTION: A packet aggregation node 2 receives a packet with an IP address of a client 5 as a transmission source and with a virtual IP address of a server 1 as a destination, converts the packet into a packet with an IP address of the packet aggregation node 2 as a transmission source and with an IP address of a packet transfer node 3 corresponding to the virtual IP address of the server 1 as a destination by encapsulating the packet, and transmits the packet. The packet transfer node 3 receives the packet from the packet aggregation node 2, converts the packet into the unencapsulated packet by decapsulating the packet, converts the converted packet into a packet with the IP address of the packet transfer node 3 as a transmission source and with a real IP address corresponding to the virtual IP address of the server 1 as a destination by encapsulating the converted packet, and transmits the packet. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a communication system having a server to which a virtual IP address is assigned and a relay terminal that relays a packet addressed to the server.

  Cloud computing, which creates a plurality of virtual machines on a physical server and realizes easy construction of a large-scale system, has become widespread. In general, a server running on the cloud provides a service via a network, and thus a method for protecting the server from threats such as DDoS attacks is required.

  Non-Patent Document 1 proposes a method corresponding to diversification of attack paths. Specifically, it is assumed that there is a threat that measures to disable security measures and control devices such as intrusion detection systems and firewalls at the boundaries of the network are divided, and without changing the physical configuration of the network. In addition, a technique for protecting a terminal by a technique independent of the network topology has been proposed. In Non-Patent Document 1, as means for realizing the technique, a “relay terminal” that advertises route information addressed to a virtual IP address that accommodates a server is arranged on the network, and a server to which a virtual IP address is assigned is provided. It describes that a VPN (Virtual Private Network) connection is established with a relay terminal (tunneling is set), and the relay terminal relays a packet addressed to a virtual IP address.

  The packet sent from the client that communicates with the server by the above method arrives at the server via the relay terminal that has established a VPN connection with the server according to the route information advertised on the network. By monitoring and controlling the traffic at the terminal, it becomes possible to realize the security monitoring and control for the server on the virtual segment without depending on the physical position of the server.

  In the above method, traffic monitoring / control is performed by a relay terminal. When an attack on a server is detected on a relay terminal, a filtering rule is generally set so as to delete a packet destined for that server. However, since packets arrive at the relay terminal from various places, there is a problem that normal packets other than attack packets are also deleted.

  Non-Patent Document 2 assumes a threat of performing a Distributed Denial of Service (DDoS) attack after spoofing an IP address in order to conceal the source of an illegal packet among attacks that violate network security. However, methods for dealing with the threat have been proposed. In general, this type of attack is difficult to detect and prevent at a single monitoring point using a firewall or intrusion detection system. In addition, when introducing a mechanism in which a plurality of terminals on a network cooperate, a large-scale configuration change of an existing facility is required. Therefore, a mechanism for attack detection / protection by a terminal at the boundary between the server and the virtual segment is proposed, which applies the communication method proposed in Non-Patent Document 1 to accommodate the server in a virtual segment.

  In the method proposed in Non-Patent Document 2, one server establishes a VPN connection with all relay terminals on the network. This makes it possible to monitor and control traffic on a plurality of relay terminals. Since the filtering rule is set only in the relay terminal that detects an attack on the server, normal packets that pass through relay terminals other than the relay terminal that detected the attack normally reach the server.

Takamasa Sugawara, Ayumu Kubota, Yu Miyake, “Proposal of Server Terminal Protection Method Using Virtual Segments in Intranet”, September 2008, IEICE Society Conference Takamasa Sugawara, Ayumu Kubota, Yu Miyake, “Proposal of DDoS attack defense method without IP traceback”, March 2009, IEICE General Conference

  However, in the method proposed in Non-Patent Document 2, each server establishes a VPN connection with all the relay terminals on the network, so the processing load for establishing a large amount of VPN connection and the management load for VPN connection Will occur.

  The present invention has been made in view of the above-described problems, and an object of the present invention is to provide a communication system capable of reducing a load related to a VPN connection established by a server with a relay terminal.

  The present invention has been made to solve the above problems, and a server having a real IP address and a virtual IP address, and a plurality of first relay terminals that relay packets transmitted from the communication terminal to the server And a plurality of second relay terminals that receive the packet relayed by the first relay terminal and transmit the packet to the server through a VPN connection established with the server. The first relay terminal includes a first receiving unit that receives a packet having the IP address of the communication terminal as a transmission source and the virtual IP address of the server as a destination, and the first reception unit. By encapsulating the received packet, the IP address of the first relay terminal is set as the transmission source, and the IP address of the second relay terminal corresponding to the virtual IP address of the server is set. A first conversion unit that converts the packet into a first packet; and a first transmission unit that transmits the packet encapsulated by the first conversion unit. A second receiving means for receiving a packet from the relay terminal, and converting the packet received by the second receiving means into a packet before being encapsulated by decapsulation, and encapsulating the converted packet By means of the second conversion means, the second conversion means for converting the IP address of the second relay terminal into a packet whose source is the real IP address corresponding to the virtual IP address of the server, and the second conversion means Second transmission means for transmitting the encapsulated packet, and the server has third reception means for receiving a packet from the second relay terminal, and the server A communication system is characterized in that a VPN connection is established with only one second relay terminal.

  In the communication system of the present invention, the server further requests a VPN connection to the second relay terminal, and notifies the second relay terminal of its own virtual IP address and real IP address. The first relay terminal further includes first storage means for storing information related to a correspondence relationship between the virtual IP address of the server and the IP address of the second relay terminal, and the second relay terminal. When the relay terminal is notified of the information related to the correspondence, the setting means for setting the information related to the correspondence in the first storage means, and when the packet is received by the first receiving means, Search request means for making a search request including information related to the virtual IP address of the server to the other first relay terminal or the second relay terminal, the other first relay terminal or the second relay terminal 2 relay end When receiving the search request from the end, the IP address of the second relay terminal corresponding to the virtual IP address of the server indicated by the information included in the search request is acquired from the first storage unit, and the search Response means for responding to the requesting terminal with the IP address of the second relay terminal acquired from the first storage means, and the second relay terminal further includes the first relay terminal When a VPN connection request is received from the storage unit, the setting unit, the response unit, and the server, the information related to the correspondence relationship is transmitted to the other first relay terminal or the second relay terminal. And a notification means for notifying.

  In the communication system of the present invention, the information related to the correspondence relationship is managed by a distributed hash table.

  According to the present invention, since the server establishes the VPN connection with only one relay terminal, the load related to the VPN connection can be reduced.

It is a block diagram which shows the structure of the communication system by one Embodiment of this invention. It is a block diagram which shows the function structure of the communication system by one Embodiment of this invention. It is a sequence diagram which shows the initial stage node starting procedure in one Embodiment of this invention. It is a sequence diagram which shows the node joining procedure in one Embodiment of this invention. It is a sequence diagram which shows the node withdrawal procedure in one Embodiment of this invention. It is a sequence diagram which shows the server public start procedure in one Embodiment of this invention. It is a sequence diagram which shows the server public stop procedure in one Embodiment of this invention. It is a sequence diagram which shows the communication procedure in one Embodiment of this invention. It is a block diagram which shows the function structure of the packet aggregation node and packet forwarding node by one Embodiment of this invention. It is a sequence diagram which shows the attack detection and defense procedure in one Embodiment of this invention. It is a reference figure showing the structure of the log in one embodiment of the present invention. It is a reference figure for demonstrating the attack detection method in one Embodiment of this invention. It is a reference figure which shows the hash space in a DHT network.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of a communication system according to an embodiment of the present invention. The communication system includes a server 1, a packet aggregation node 2 (first relay terminal), a packet forwarding node 3 (second relay terminal), a management node 4, and a client 5 (communication terminal).

  The server 1 is an FTP (File Transfer Protocol) server, a Web server, or the like, and provides a predetermined service. A virtual IP address (referred to as a virtual IP address in this specification) is assigned to the server 1 together with an IP address used in the actual network (referred to as a real IP address in this specification).

  The packet aggregation node 2 relays a packet transmitted from the client 5 to the server 1 to the packet forwarding node 3. The packet forwarding node 3 relays the packet relayed by the packet aggregation node 2 to the server 1. The management node 4 manages the assignment of virtual IP addresses to the server 1 and the states of the packet aggregation node 2 and the packet forwarding node 3.

  A VPN connection is established between the server 1 and the packet forwarding node 3. Thereby, the server 1 is accommodated in a virtual segment (virtual segment) on the network. The relationship between the server 1 and the packet forwarding node 3 is one-to-one, that is, since the server 1 establishes a VPN connection with only one packet forwarding node 3, a packet addressed to a specific server 1 It always passes through one packet forwarding node 3 that has established a connection. As described above, since the server 1 establishes the VPN connection with only one packet forwarding node 3, the processing load and the VPN connection for establishing the VPN connection than when the server uses the method of establishing the VPN connection with all the relay terminals. Management load is reduced.

  Packets for the same server 1 can arrive at the packet forwarding node 3 from a plurality of packet aggregation nodes 2. The packet forwarding node 3 distinguishes from which packet aggregation node 2 the packet is sent to the server 1 to monitor the amount of packets to the server 1 and detects an attack to determine which packet aggregation node 2 the attack packet comes from. I can know. When an attack is detected, the packet aggregation node 2 that relays the attack packet among the plurality of packet aggregation nodes 2 performs packet filtering that deletes the packet addressed to the virtual IP address of the server 1 that is the attack target. The server 1 can be protected from attacks. A packet that arrives from a packet aggregation node 2 other than the packet aggregation node 2 that is performing packet filtering is regarded as not an attack packet and is forwarded to the server 1.

  When establishing a VPN connection with the packet forwarding node 3, the server 1 makes a VPN connection request to one specific packet forwarding node 3. Since this VPN connection request and establishment is performed autonomously between the server 1 and the packet forwarding node 3, one management terminal manages the state of all the packet forwarding nodes 3, and the server 1 requests a VPN connection. Therefore, a centralized mechanism for responding to the packet forwarding node 3 information is not required.

  The packet aggregation node 2 and the packet forwarding node 3 constitute a DHT network using a distributed hash table (DHT). As a result, the load for managing the correspondence between the server 1 and the packet forwarding node 3 is distributed between the packet aggregation node 2 and the packet forwarding node 3.

  FIG. 2 shows a functional configuration of the communication system related to packet relay. The server 1 includes a server application 10 and a server disclosure unit 11. The server application 10 provides a service in response to a request from the client 5. The server disclosure unit 11 performs processing related to server disclosure for constructing a virtual segment that accommodates the server 1.

  The packet aggregation node 2 includes a relay unit 20, a DHT management unit 21, a DHT storage unit 22, and an advertisement unit 23. The relay unit 20 relays the packet transmitted from the client 5 to the packet forwarding node 3. The DHT management unit 21 performs processing for participating in the DHT network and manages information stored in the DHT storage unit 22. The DHT storage unit 22 stores information indicating the correspondence between the IP address of the packet forwarding node 3 that has established a VPN connection with the server 1 and the virtual IP address of the server 1. More specifically, the DHT storage unit 22 is calculated from the IP address of the packet forwarding node 3 that has established a VPN connection with the server 1 and the virtual IP address of the server 1 using SHA1 (Secure Hash Algorithm 1). The hash value is stored in association with it. In the DHT network, the information indicating the correspondence relationship is not necessarily managed by the packet forwarding node 3 that establishes the VPN connection with the server 1, but the packet aggregation node 2 and the packet forwarding node 3 constituting the DHT network. Managed in either.

  The advertising unit 23 displays route information related to the route addressed to the virtual IP address according to OSPF (Open Shortest Path First) which is a kind of routing protocol so that the packet addressed to the virtual IP address of the server 1 reaches the packet aggregation node 2. Advertise on the network. When the client 5 transmits a packet addressed to the virtual IP address of the server 1, the packet arrives at the packet aggregation node 2 closest to the client 5 by forwarding the router on the network according to this path information.

  The packet forwarding node 3 includes a relay unit 30, a server disclosure unit 31, a DHT management unit 32, a DHT storage unit 33, and an advertisement unit 34. The relay unit 30 relays the packet transmitted from the packet aggregation node 2 to the server 1. The server disclosure unit 31 performs processing related to server disclosure for constructing a virtual segment that accommodates the server 1. The DHT management unit 32 performs processing for participating in the DHT network, and manages information stored in the DHT storage unit 33. Similar to the DHT storage unit 22, the DHT storage unit 33 associates the IP address of the packet forwarding node 3 that has established a VPN connection with the server 1 and the hash value calculated by using SHA1 from the virtual IP address of the server 1. And remember.

  The advertising unit 34 advertises the route information related to the route addressed to the anycast address on the network according to OSPF. When the server 1 makes a search request for the packet forwarding node 3 addressed to the anycast address when making a VPN connection related to server publication, a response is returned from the packet forwarding node 3 closest to the server 1. The server storage unit 35 stores the virtual IP address and real IP address of the server 1 in association with each other.

  The management node 4 includes a virtual IP address storage unit 40, an address management unit 41, a setting information storage unit 42, a node management unit 43, and a node list storage unit 44. The virtual IP address storage unit 40 stores a virtual IP address assigned to the server 1. The address management unit 41 manages allocation of virtual IP addresses to the server 1. The setting information storage unit 42 stores setting information including a range of virtual IP addresses notified to the packet aggregation node 2, a range of anycast addresses notified to the packet forwarding node 3, and the like. Each packet aggregation node 2 is notified of a common virtual IP address range. Each packet forwarding node 3 is notified of a common anycast address range. The node management unit 43 manages information on the packet aggregation node 2 and the packet forwarding node 3 constituting the DHT network. The node list storage unit 44 stores a node list that is a list of the packet aggregation node 2 and the packet forwarding node 3 that constitute the DHT network.

  The client 5 has a client application 50. The client application 50 makes a service request to the server 1.

  Next, construction and management of a DHT network by the packet aggregation node 2 and the packet forwarding node 3 will be described. In the DHT network, joining and leaving of nodes constituting the network occur. When a node joins, it joins the DHT network by performing a joining process on any node that already configures the DHT network. On the other hand, when a node leaves the DHT network, the routing table is reconstructed and communication is continued with the remaining nodes. At this time, the information possessed by the detached node is retained, for example, by synchronization between adjacent nodes on the DHT network. Note that when a node constituting the DHT network is activated for the first time, since there is no node to be subjected to the subscription process, an initial node activation process is performed. In the following, specific methods will be described using a program that implements Chord, a kind of algorithm for constructing a DHT network, as an example.

  FIG. 3 shows a sequence when an initial node (packet aggregation node 2 or packet forwarding node 3) which is the first node constituting the DHT network joins. In the initial node, the DHT management unit 21 (32) transmits a node list request indicating a node list acquisition request to the management node 4 (step S100). It is assumed that the IP address of the management node 4 is known. In the management node 4, the node management unit 43 receives the node list request and determines whether or not the node IP address is registered in the node list in the node list storage unit 44 (step S110).

  When the first node joins, since the node IP address is not registered in the node list, the management node 4 determines that the initial node activation process is necessary, and an initial node activation request indicating a request for the initial node activation process Is transmitted to the node that is the transmission source of the node list request (step S120). The initial node activation request includes a virtual IP address range and an anycast address range based on the setting information in the setting information storage unit 42.

In the initial node, the DHT management unit 21 (32) receives the initial node activation request and executes the initial node activation process (step S130). Specifically, a bootstrap node start command as shown below is executed.
start-dhash --root dhash-a -j sure.lcs.mit.edu:10000 -p 10000 &

  By executing the initial node startup process, a distributed hash table is created in the DHT storage unit 22 (33). As described above, the constituent elements of this table are a pair of an IP address of the packet forwarding node 3 that has established a VPN connection with the server 1 and a hash value calculated from the virtual IP address of the server 1 using SHA1. is there. When the initial node activation processing is completed, these pieces of information are not stored in the table. At the time when the initial node activation process is completed, the information of all nodes (one) in the DHT network is managed by the initial node alone.

  After execution of the initial node activation process, the DHT management unit 21 (32) notifies the management node 4 of its own IP address by transmitting a node subscription notification indicating that the initial node has joined the DHT network (step S140). ). In the management node 4, the node management unit 43 receives the node subscription notification, and adds the IP address notified by the node subscription notification to the node list in the node list storage unit 44 (step S150).

  When the initial node is the packet aggregation node 2, after executing the initial node activation process, the advertising unit 23 of the packet aggregation node 2 obtains the route information related to the route addressed to the virtual IP address in the range notified by the initial node activation request. Advertise on the network. When the initial node is the packet forwarding node 3, after executing the initial node activation process, the advertising unit 34 of the packet forwarding node 3 relates to the route addressed to the anycast address in the range notified by the initial node activation request. Information is advertised on the network (step S160).

  If the management node 4 receives a node list request from another node after receiving the node list request from the initial node, a message indicating retransmission of the node list request is sent Sent to the node. For this reason, processing for a node list request from another node is not executed until the DHT network by the initial node is constructed.

  FIG. 4 shows a sequence when a new node (packet aggregation node 2 or packet forwarding node 3) joins when a DHT network is configured by one or more nodes. In the newly joined node, the DHT management unit 21 (32) transmits a node list request indicating a node list acquisition request to the management node 4 (step S200). It is assumed that the IP address of the management node 4 is known. In the management node 4, the node management unit 43 receives the node list request and determines whether or not the node IP address is registered in the node list in the node list storage unit 44 (step S210).

When another node has already joined, since the node IP address is registered in the node list, the management node 4 transmits the node list to the node that is the transmission source of the node list request (step S220). At this time, the range of the virtual IP address and the range of the anycast address based on the setting information in the setting information storage unit 42 are added to the node list. In the newly joined node, the DHT management unit 21 (32) receives the node list and executes node joining processing for the nodes described in the node list (step S230). Specifically, a command for joining an existing node as shown below is executed.
start-dhash --root dhash-b -j sure.lcs.mit.edu:10000 &

  By executing the node joining process, a distributed hash table is created in the DHT storage unit 22 (33). In the node joining process, communication is performed with a node having an IP address described in the node list, and settings for joining the DHT network are performed.

  After the node joining process is executed, the DHT management unit 21 (32) notifies the management node 4 of its own IP address by transmitting a node joining notification indicating that the node has newly joined the DHT network (step S240). ). In the management node 4, the node management unit 43 receives the node subscription notification, and adds the IP address notified by the node subscription notification to the node list in the node list storage unit 44 (step S250).

  When the newly joining node is the packet aggregation node 2, after the node addition processing is executed, the advertisement unit 23 of the packet aggregation node 2 performs route information related to the route addressed to the virtual IP address in the range notified from the management node 4. Advertise on the network. When the newly joining node is the packet forwarding node 3, after the node joining process is executed, the advertisement unit 34 of the packet forwarding node 3 relates to the route addressed to the anycast address in the range notified from the management node 4. The route information is advertised on the network (step S260).

  Hereinafter, details of the process of joining the DHT network in step S230 will be described. DHT distributes a distributed hash table that stores pairs of managed information hash values (hereinafter referred to as Key) and managed information (hereinafter referred to as Value) to a plurality of nodes. It is a technique to manage efficiently. In the present embodiment, the virtual IP address of the server 1 corresponds to Key, and the IP address of the packet forwarding node 3 corresponds to Value. In this embodiment, the packet aggregation node 2 and the packet forwarding node 3 constituting the DHT network manage the IP address (Value) of the packet forwarding node 3 to be managed based on its own IP address.

In Chord used as an example of a DHT network implementation algorithm in this embodiment, the nodes constituting the DHT network are arranged according to the ID of each node. Specifically, the ID assigned to each node is a hash value calculated using SHA-1 from the IP address of each node. 2 ¹⁶⁰ hash space is used in Chord, each node is defined as a point on the circumference. Figure 13 shows the assignment of ID in the case where the hash space and 2 ⁴ for simplicity. Nodes having IDs from 0 to 15 are arranged.

  In Chord, each node constituting the DHT network manages a value corresponding to an ID located between its own node ID and an adjacent node ID. In FIG. 13, when nodes with node IDs 0, 2, 6, 9, 11, 13, and 14 are joined to the DHT network, node 0 with node ID 0 corresponds to node IDs 15 and 0. Manage key / value pairs.

  In Chord, each node holds three types of routing tables called Successor, Predecessor, and Fingertable. These routing tables are different from the key / value pairs (virtual IP address of the server 1 and IP address of the forwarding node) that each node holds in the distributed hash table of the DHT storage unit 22 (33). Each routing table is held in the DHT storage unit 22 (33).

Successor is a routing table that holds the IP address of the node located closest to the node ID in the increasing direction. Predecessor is the IP address of the node positioned closest to the node ID in the decreasing direction. Is a routing table that holds Fingertable is a routing table that holds IP addresses that match the following formulas in a 2 ^m hash space.
Node IP address = IPadress [next (Z)], where Z = (Node_ID + 2 ⁱ ) mod2 ^m , i = 0 to ^m
Next (Z) in the above expression is a function that returns the ID of the next existing node as viewed clockwise from Z (that is, the direction in which the node ID increases) in the hash space. IPadress [X] is a function that returns the IP address of the node whose ID is X.

  The addition of a new node to the DHT network means that a node is added at a point where no node exists on the circumference. In the following, the procedure for joining will be described by taking as an example the case where the node ID15 (node 15) joins the DHT network in which the node ID12 (node 12) and the node ID18 (node 18) exist.

  The node 15 calculates an ID that is a hash value from its own IP address. Subsequently, the node 15 requests the IP address of the node whose own ID is to be held from the node described in the node list. The node that has received the request responds if it holds the ID of the node 15 and makes a request to another node if it does not. As a result, the node 15 acquires the IP address of the node 18.

  Subsequently, the node 15 transmits a join message to the node 18 and records the IP address of the node 18 in the Successor. Further, the node 15 is notified of the IP address of the node 12 to be held in the Predecessor from the node 18, and records the IP address of the node 12 in the Predecessor.

  Subsequently, the node 15 receives the IP address corresponding to the part to be managed by the node 15 from the IP address that the node 18 has held in the Fingertable, and records it in the Fingertable. In addition, the node 15 is a key / value pair corresponding to a part to be managed by the node 15 among the key / value pairs that the node 18 has held in the distributed hash table of the DHT storage unit 22 (33). Is received from the node 18 and recorded in the DHT storage unit 22 (33). The node 15 notifies the node 12 of its own subscription, and the node 12 uses the IP address of the node 18 recorded in the successor held by the node 12 based on the notification from the node 15 as the IP address of the node 15. Change to

  FIG. 5 shows a sequence when a node (packet aggregation node 2 or packet forwarding node 3) that has joined the DHT network leaves the DHT network. In the node that withdraws from the DHT network, the DHT management unit 21 (32) executes node withdrawal processing (step S300). Subsequently, the DHT management unit 21 (32) notifies its own IP address by transmitting a node withdrawal notification indicating withdrawal from the DHT network to the management node 4 (step S310). In the management node 4, the node management unit 43 receives the node withdrawal notification and deletes the IP address notified by the node withdrawal notification from the node list in the node list storage unit 44 (step S320).

  When a node withdraws as described above, Successor, Predecessor, and Fingertable are updated in a node adjacent to this node on the hash space. At this time, as a process for taking over the information held by the withdrawn node, the DHT prevents a loss of information by arranging a copy of the data held by the neighboring node.

  Next, server disclosure for constructing a virtual segment that accommodates the server 1 will be described. The server 1 acquires a virtual IP address from the management node 4 in advance. In the management node 4, the address management unit 41 generates a virtual IP address in advance and stores it in the virtual IP address storage unit 40. The server disclosure unit 11 of the server 1 accesses the management node 4 and registers information necessary for assigning a virtual IP address. The address management unit 41 of the management node 4 selects a virtual IP address from the virtual IP address storage unit 40 and notifies the server 1 of the virtual IP address. The address management unit 41 manages the assignment of virtual IP addresses so that the same virtual IP address is not assigned to a plurality of servers 1. The notification of the virtual IP address to the server 1 is performed by issuing a public key certificate, but detailed description thereof is omitted. This public key certificate is used when the server 1 accesses the packet forwarding node 3. However, in this embodiment, a description of a known communication method using the public key certificate is omitted.

  FIG. 6 shows a sequence at the start of disclosure of the server 1 that acquired the virtual IP address. It is assumed that the server 1 knows in advance the anycast address used by the packet forwarding node 3. The server disclosure unit 11 of the server 1 transmits a connection request for the packet forwarding node 3 to the anycast address (step S400). This connection request arrives at the packet forwarding node 3 closest to the server 1. The server disclosure unit 31 of the packet forwarding node 3 receives the connection request from the server 1 and transmits a response notifying its own IP address to the server 1 (step S410).

  The server public part 11 of the server 1 receives the response from the packet forwarding node 3, and transmits a VPN connection request indicating a VPN connection request to the IP address notified by the response (step S420). By this VPN connection request, the virtual IP address and real IP address of the server 1 are notified to the packet forwarding node 3. Thereafter, various settings for VPN connection are performed in both the server 1 and the packet forwarding node 3, but detailed description thereof is omitted.

The server disclosure unit 31 of the packet forwarding node 3 notifies the DHT management unit 32 of the virtual IP address notified from the server 1. The DHT management unit 32 calculates a hash value of the virtual IP address, and uses the IP address and hash value of the packet forwarding node 3 as the DHT storage unit 22 (33) of the packet aggregation node 2 or the packet forwarding node 3 constituting the DHT network. The process of registering in the distributed hash table is performed (step S430). Specifically, the following “put” command is executed. Note that (a) indicates a hash value, and (b) indicates an IP address of the packet forwarding node.
put <(a)><(b)>

  Further, the DHT management unit 32 registers the virtual IP address and the real IP address of the server 1 as a set in the server storage unit 35 (step S440).

  Hereinafter, the details of the process of registering the pair of the hash value of the IP address of the packet forwarding node 3 and the virtual IP address of the server 1 in the distributed hash table in step S430 will be described. The DHT management unit 32 performs a process of searching for a node to be managed using the hash value of the virtual IP address of the server 1 as a key. An example in which node 0 performs a search in the DHT network shown in FIG. Assuming that the hash value of the virtual IP address of the server 1 is 12, the DHT management unit 32 has next (12) = 13 according to the next function described above, so the node that should manage the target information is the node 13. Ask for that. Based on this, the DHT management unit 32 generates a message that includes a pair of the hash value of the IP address of the packet forwarding node 3 and the virtual IP address of the server 1 and requests the search for the node 13, and passes it to the relay unit 30.

From the definition of Fingertable described above, the node IDs held in the Fingertable of node 0 are 2 (i = 0, 1 [z = 1, 2]), 6 (i = 2 [z = 4]), 9 (i = 3 [z = 8]). Since 2 ³ <13 <2 ⁴ with respect to the node ID 13 of the node 13, the node 0 searches the node 9 corresponding to the node ID when i = 3 [z = 8]. Ask. That is, the relay unit 30 transmits the above message to the node 9.

  Node IDs held in the Fingertable of node 9 are 11 (i = 0, 1 [z = 10, 11]), 13 (i = 2 [z = 13]), 2 (i = 3 [z = 1] ), The node 9 holds the information of the node 13. Therefore, the message from node 0 is transferred from node 9 to node 13. In the node 13, the relay unit 20 (30) receives the message and passes it to the DHT management unit 21 (32). The DHT management unit 21 sets the hash value of the IP address of the packet forwarding node 3 and the virtual IP address of the server 1 included in the message in the DHT storage unit 22 (33).

  In this way, in the DHT network, a rough search is performed first, and as the search target is approached, the finer search is performed gradually, making it more efficient than tracing the adjacent nodes in order from the nodes that make up the DHT network. Search is realized. As described above, the pair of the hash value of the IP address of the packet forwarding node 3 and the virtual IP address of the server 1 is managed by the packet aggregation node 2 or the packet forwarding node 3 constituting the DHT network.

  FIG. 7 shows a sequence when the server 1 is stopped. The server disclosure unit 31 of the packet forwarding node 3 detects that the VPN connection is disconnected by detecting an explicit VPN connection cancellation notification from the server 1 or a VPN connection cancellation due to a failure or the like, and performs DHT management. The unit 32 is notified (step S500).

  When the DHT management unit 32 receives the notification from the server disclosure unit 31, the DHT management unit 32 deletes the pair of the virtual IP address of the server 1 that is the connection partner of the disconnected VPN connection and its own IP address from the distributed hash table. A process of searching for a node that manages the hash value of the virtual IP address of the server 1 whose key is released as a key is performed (step S510). At this time, a search is performed in the same manner as the processing in step S430, and the message is transferred to a desired node. In the node that has received the message, the DHT management unit 21 (33) deletes the hash value that matches the hash value included in the message and the IP address of the packet forwarding node 3 associated therewith from the distributed hash table.

  Next, communication between the server 1 and the client 5 will be described. FIG. 8 shows a sequence when the client 5 communicates with the server 1. The client 5 can obtain the virtual IP address (IP_virtual) of the server 1, for example, by requesting the DNS server to resolve the name of the server 1, and as a result of being notified of the IP address of the server 1 from the DNS server. It is. The client application 50 of the client 5 transmits a packet whose destination is the client 5 (IP_client) and whose destination is the server 1 (IP_virtual) (step S600). Since the packet aggregation node 2 advertises the route addressed to IP_virtual, the packet transmitted from the client 5 arrives at the packet aggregation node 2 closest to the client 5.

  The relay unit 20 of the packet aggregation node 2 receives the packet from the client 5 and notifies the DHT management unit 21 of the virtual IP address (IP_virtual) of the server 1 included in the received packet. The DHT management unit 21 calculates a hash value of the virtual IP address (IP_virtual), and performs a process of searching for a node that manages this hash value as a key (step S610).

  At this time, a search is performed in the same manner as the processing in step S430, and the message is transferred to a desired node. In the node that received the message, the DHT management unit 21 (33) searches the distributed hash table for a hash value that matches the hash value included in the message, and the IP address of the packet forwarding node 3 that is associated with the matching hash value To get. The DHT management unit 21 (33) generates a response message for notifying the acquired IP address and passes it to the relay unit 20 (30). The relay unit 20 (30) transmits a response message to the packet aggregation node 2 that has requested the search. In the packet aggregation node 2 that requested the search, the relay unit 20 receives this response message, and acquires the desired IP address of the packet forwarding node 3.

  The relay unit 20 encapsulates the packet received from the client 5 (step S620). In this encapsulation, an IP header is added to the packet from the client 5. In this IP header, the IP address (Rc) of the packet aggregation node 2 is recorded as the source IP address, and the IP address (Rs) of the packet forwarding node 3 is recorded as the destination IP address. Therefore, a packet whose destination is the client 5 (IP_client) and the destination of the server 1 (IP_virtual) is a packet whose destination is the packet aggregation node 2 (Rc) and the destination of the packet forwarding node 3 (Rs). Is converted to The relay unit 20 transmits the encapsulated packet to the packet forwarding node 3 (step S630).

  The relay unit 30 of the packet forwarding node 3 receives the packet from the packet aggregation node 2 and decapsulates it (step S640). In this decapsulation, the IP header added to the packet at the packet aggregation node 2 is removed. Therefore, a packet destined for the packet aggregation node 2 (Rc) and destined for the packet forwarding node 3 (Rs) becomes a packet destined for the client 1 (IP_client) and destined for the server 1 (IP_virtual) as a result of decapsulation. Is converted to

  Subsequently, the relay unit 30 searches the information in the server storage unit 35 using the virtual IP address (IP_virtual) of the server 1 included in the packet as a key, and the real IP corresponding to the virtual IP address (IP_virtual) of the server 1 An address (IP_real) is acquired (step S650). Furthermore, the relay unit 30 encapsulates the packet decapsulated in step S640 (step S660). In this encapsulation, an IP header in which the IP address (Rs) of the packet forwarding node 3 is recorded as the source IP address and the real IP address (IP_real) of the server 1 is recorded as the destination IP address is added. Therefore, the decapsulated packet is converted into a packet having the packet forwarding node 3 (Rs) as the transmission source and the server 1 (IP_real) as the destination by encapsulation. The relay unit 30 transmits the encapsulated packet to the server 1 (step S670).

  The server application 10 of the server 1 receives the packet from the packet forwarding node 3 and processes it appropriately (step S680). The received packet is decapsulated by middleware (not shown). The server application 10 transmits a response packet for the client 5 to the packet forwarding node 3 (step S690). This response packet is encapsulated with respect to a packet destined to the server 1 (IP_virtual) and the client 5 (IP_client) as the destination, and the packet forwarding node 3 (Rs) is destined to the server 1 (IP_virtual) as the source. With an IP header added.

  The relay unit 30 of the packet forwarding node 3 receives the packet from the server 1 and decapsulates it (step S700). By this decapsulation, the packet from the server 1 is converted into a packet whose destination is the server 1 (IP_virtual) and whose destination is the client 5 (IP_client). The relay unit 30 transmits the decapsulated packet to the client 5 (step S710).

  Next, attack detection and defense against the server 1 in the present embodiment will be described. Since the packet addressed to the server 1 is transferred to the server 1 by the packet transfer node 3 that configures the virtual segment that accommodates the server 1, the packet transfer node 3 can grasp the traffic to the server 1. FIG. 9 shows functional configurations of the packet aggregation node 2 and the packet forwarding node 3 relating to attack detection and defense.

  The packet aggregation node 2 has the relay unit 20 described above. The relay unit 20 includes a transmission / reception unit 20 a that transmits and receives packets, a filtering setting unit 20 b that sets a filtering rule notified from the packet forwarding node 3 in the relay unit 20, and a filtering rule that is notified from the packet forwarding node 3 And a filtering unit 20c that deletes packets according to the above.

  The packet forwarding node 3 includes the relay unit 30, log storage unit 36, and attack detection unit 37 described above. The relay unit 30 includes a transmission / reception unit 30a that transmits and receives packets, and a log recording unit 30b that records information of packets relayed to the server 1 in a log. The log storage unit 36 stores a log including information on packets relayed by the relay unit 30 to the server 1. The attack detection unit 37 detects an attack based on the log stored in the log storage unit 36.

  FIG. 10 shows an attack detection and defense sequence for the server 1. When the transmission / reception unit 30a relays a packet from the packet aggregation node 2 to the server 1, the log recording unit 30b in the packet transfer node 3 acquires information such as an IP address from the packet, and logs in the log storage unit 36 Add to. FIG. 11 shows a log structure for one packet. From the IP header information added to the packet encapsulated by the packet aggregation node 2 and the IP header of the decapsulated packet, the IP address of the client 5 that sent the packet, and the virtual IP of the server 1 that is the packet destination The IP address of the packet aggregation node 2 that relayed the address and packet can be acquired. These and the IP address of the packet forwarding node 3 are recorded in the log.

  The attack detection unit 37 periodically determines whether or not an attack has occurred regarding the traffic from the packet aggregation node 2 to the server 1 based on the log in the log storage unit 36 (step S800). More specifically, the attack detection unit 37 acquires the time, the virtual IP address of the server 1 and the IP address of the packet aggregation node 2 as a set from the log, and arranges the information acquired from the log in time series. FIG. 12 is an example of information arranged in time series. Characters such as “h1” in the time indicate arbitrary numerical values related to the hour, minute, and second. In addition, a plurality of the same characters do not always indicate the same numerical value. “Server A” and “packet aggregation node X” in the virtual IP address of server 1 and the IP address of packet aggregation node 2 are actually the virtual IP address of server 1 and the IP address of packet aggregation node 2. In FIG. 11, the IP address is replaced with the name of a server or the like for easy understanding of the contents.

  The attack detection unit 37 aggregates the number of packets (traffic amount) by using the same virtual IP address of the server 1 and the IP address of the packet aggregation node 2 as the unit of attack detection, and calculates the number of packets per second. calculate. As an example, when the number of packets per second is less than 10, the attack detection unit 37 determines that no attack has occurred, and when the number of packets per second is 10 or more, the attack detection unit 37 Determines that an attack has occurred. In FIG. 12, the traffic to the server A relayed by the packet aggregation node Y is detected as an attack. According to the above attack detection method, it is possible to monitor the traffic to the server 1 and detect the attack for each packet aggregation node 2 that relays the packet to the server 1.

  When an attack is detected, the attack detection unit 37 notifies the packet aggregation node 2 that forwarded the packet related to the traffic that detected the attack, information for notifying a filtering rule for deleting a packet addressed to the virtual IP address of the server 1. Generate and notify the relay unit 30. This information includes the virtual IP address of the server 1. The transmission / reception unit 30a transmits a message including this information to the packet aggregation node 2 (step S810). In the example shown in FIG. 12, it is determined that the traffic to the server A via the packet aggregation node Y is an attack, and the filtering rule for deleting the packet addressed to the virtual IP address of the server A with respect to the packet aggregation node Y is Be notified.

  In the packet aggregation node 2, the transmission / reception unit 20 a receives a message from the packet forwarding node 3. The filtering setting unit 20b sets the filtering to the filtering unit 20c so as to delete the packet addressed to the specific virtual IP address according to the filtering rule included in the message (step S820). Thereafter, the filtering unit 20c receives from the client 5 when the virtual IP address of the server 1 that is the destination of the packet received from the client 5 by the transmission / reception unit 20a matches the virtual IP address set in step S820. Delete the packet. The transmission / reception unit 20a does not transmit the deleted packet.

  As described above, according to the present embodiment, since the server 1 establishes a VPN connection with only one packet forwarding node 3, the VPN connection is more effective than the case where the server establishes a VPN connection with all relay terminals. Can reduce the processing load and the management load of VPN connection. In addition, since the VPN connection request and establishment are autonomously performed between the server 1 and the packet forwarding node 3, one management terminal manages the state of all the packet forwarding nodes 3, and the VPN connection from the server 1 is established. There is no need for a centralized mechanism for receiving the request and responding to the packet forwarding node 3 information.

  Further, by providing a plurality of packet aggregation nodes 2 on the upstream side of the packet forwarding node 3 to which the server 1 is connected, the packet forwarding node 3 has a server for each direction in which packets arrive (for each packet aggregation node 2). Traffic to 1 can be monitored. Further, when an attack is detected in the packet forwarding node 3, a filtering rule for deleting a packet addressed to the virtual IP address of the server 1 is notified to the packet aggregation node 2 through which the packet related to the attack passes, and packet aggregation is performed. Since filtering is performed at the node 2, traffic related to the attack can be blocked. At this time, normal traffic in which no attack is detected via the other packet aggregation node 2 is not blocked.

  Further, the packet aggregation node 2 and the packet forwarding node 3 constitute a DHT network using a distributed hash table, so that the load managing the correspondence relationship between the server 1 and the packet forwarding node 3 is reduced. It can be distributed among the nodes 3.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. .

  DESCRIPTION OF SYMBOLS 1 ... Server, 2 ... Packet aggregation node, 3 ... Packet forwarding node, 4 ... Management node, 5 ... Client, 10 ... Server application, 11, 31 ... Server release , 20, 30 ... relay unit, 20a, 30a ... transmission / reception unit, 20b ... filtering setting unit, 20c ... filtering unit, 21, 32 ... DHT management unit, 22, 33 ... DHT storage unit, 23, 34 ... advertising unit, 30b ... log recording unit, 35 ... server storage unit, 36 ... log storage unit, 37 ... attack detection unit, 40 ... Virtual IP address storage unit, 41 ... Address management unit, 42 ... Setting information storage unit, 43 ... Node management unit, 44 ... Node list storage unit, 50 ... Client application

Claims (3)

A server having a real IP address and a virtual IP address; a plurality of first relay terminals that relay packets transmitted from a communication terminal to the server; and a packet relayed by the first relay terminal; A communication system comprising a plurality of second relay terminals that transmit packets to the server by a VPN connection established with the server,
The first relay terminal is
First receiving means for receiving a packet whose source is the IP address of the communication terminal and whose destination is the virtual IP address of the server;
By encapsulating the packet received by the first receiving means, the IP address of the first relay terminal is a transmission source, and the IP address of the second relay terminal corresponding to the virtual IP address of the server is the destination First conversion means for converting the packet into:
First transmission means for transmitting the packet encapsulated by the first conversion means,
The second relay terminal is
Second receiving means for receiving a packet from the first relay terminal;
The packet received by the second receiving means is converted into a packet before being encapsulated by decapsulation, and the IP address of the second relay terminal is set as a transmission source by encapsulating the converted packet, Second conversion means for converting the packet to a destination having a real IP address corresponding to the virtual IP address of the server;
Second transmission means for transmitting the packet encapsulated by the second conversion means,
The server has a third receiving means for receiving a packet from the second relay terminal;
The communication system characterized in that the server establishes a VPN connection with only one second relay terminal. The server further includes a connection request means for requesting a VPN connection to the second relay terminal and notifying the second relay terminal of its own virtual IP address and real IP address,
The first relay terminal further includes:
First storage means for storing information relating to a correspondence relationship between the virtual IP address of the server and the IP address of the second relay terminal;
Setting means for setting the information on the correspondence relationship in the first storage means when the information on the correspondence relationship is notified from the second relay terminal;
Search for making a search request including information related to the virtual IP address of the server to the other first relay terminal or the second relay terminal when a packet is received by the first receiving means Request means;
When the search request is received from another first relay terminal or the second relay terminal, the IP of the second relay terminal corresponding to the virtual IP address of the server indicated by the information included in the search request Response means for obtaining an address from the first storage means and responding to the IP address of the second relay terminal obtained from the first storage means with respect to the terminal that has made the search request ,
The second relay terminal further includes
The first storage means;
The setting means;
The response means;
And a notification unit configured to notify the information related to the correspondence relationship to the other first relay terminal or the second relay terminal when a VPN connection request is received from the server. The communication system according to 1.   The communication system according to claim 2, wherein the information related to the correspondence relationship is managed by a distributed hash table.

Images